Yino.ai - Agent First AI Music Video Generator

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill mostly matches its media-generation purpose, but its setup instructions can print your Yino API key into the agent’s output or logs.

Before installing, verify that you trust the Yino service and this skill’s publisher. Do not run the `echo $YINO_API_KEY` check; use a non-printing environment-variable check instead. Only upload media files and save workspace notes that you are comfortable sharing or persisting.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Your Yino API key could be revealed beyond the narrow API-call use case, increasing the chance someone else can use your account or credits.

Why it was flagged

The skill instructs the agent to print the API key as a preflight check. Checking whether a secret exists is reasonable, but printing the secret can expose it in tool output, logs, or agent context.

Skill content

`echo $YINO_API_KEY` — must be set. Get one at https://yino.ai/settings

Recommendation

Do not print the API key. Use a non-revealing check such as testing whether the variable is set, and rotate the key if it was already exposed.

What this means

Files you select for generation may leave your machine and be processed by yino.ai.

Why it was flagged

The skill allows the agent to upload local image or audio files to the Yino API. This is expected for media generation, but the file choice should remain user-directed.

Skill content

When you need to provide a file (image, audio), upload it first: ... `-F "file=@path/to/file"`

Recommendation

Only upload files you intentionally want to share with the service, and avoid sensitive or private media unless you trust the provider.

What this means

It may be harder to verify who maintains the skill before granting it access to a Yino API key.

Why it was flagged

The registry metadata does not provide a source repository or homepage for independent verification. There is no install code here, so this is a provenance note rather than direct evidence of malicious behavior.

Skill content

Source: unknown; Homepage: none

Recommendation

Verify the provider and skill owner through trusted channels before using a real API key.

What this means

Creative prompts or preferences you approve for saving may persist in your workspace and influence future sessions.

Why it was flagged

The skill may persist common generation parameters in workspace notes. It explicitly requires asking first, which keeps this purpose-aligned, but saved prompts or style settings can be reused later.

Skill content

ask if they'd like you to save the common parameters as a note in their workspace. Don't save anything without asking.

Recommendation

Only approve saving non-sensitive reusable settings, and remove saved notes if you no longer want them reused.